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DETAILED ACTION 



1 . This action is in response to the RCE filed 12/10/2004. Claims 1 and 4-8 have 
been amended; claims 9-1 1 have been canceled; claims 12-24 have been added. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1-4 and 8 have been considered but 
are moot in view of the new ground(s) of rejection. 

3. Applicant's arguments, see the last paragraph of page 1 1 , filed 12/10/2004, with 
respect to the rejection of claim 5 under 35 U.S.C. 103(a) have been fully considered 
and are persuasive. The rejection of claim 5 has been withdrawn. 

Claim Objections 

4. Claim 1 is objected to because of the following informalities: "to authenticated" 
(line 8) should be changed to "to authenticate". Appropriate correction is required. 

Claim Rejections - 35 USC §112 

5. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 
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6. Claims 12 and 14 are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the enablement requirement. The claim(s) contains subject matter which 
was not described in the specification in such a way as to enable one skilled in the art to 
which it pertains, or with which it is most nearly connected, to make and/or use the 
invention. Claims 12 and 14 are directed to a method and system for authentication in a 
distributed environment comprising requesting a service at a first data processing agent 
by a user, authenticating the user at a second data processing agent and, upon 
successful authentication, transmitting authentication information including the user's 
name and password to the first data processing agent for authenticating subsequent 
requests from the user. Authentication information such as passwords is sensitive 
information and needs to be protected when being transmitted between data processing 
agents. Without such a protection, passwords can be accessed by unauthorized 
person(s). However, the specification fails to convey any information about protection 
of passwords. Thus, the disclosure fails to enable one skilled in the art to make and use 
the claimed invention. 

7. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

8. Claims 5-7, 16-20, 8 and 21-24 are rejected under 35 U.S.C. 112, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the 
subject matter which applicant regards as the invention. 
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Regarding claim 5 f it recites the limitation "the first timeout period" in the last line. 
There is insufficient antecedent basis for this limitation in the claim. The limitation is 
interpreted as "the first timeout value" (see line 9). Similar problems are found in lines 
1 5 of claim 8, 6-7 of claim 21 . 

Regarding claim 22, it recites the limitation "the second predetermined period" in 
line 1 . There is insufficient antecedent basis for this limitation in the claim. The 
limitation is interpreted as "the second time period" (see lines 9-10). 

Claims that are not specifically addressed are rejected by virtue of their 
dependencies. 

Claim Rejections - 35 USC § 103 

9. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

10. Claim 1-4, 8, 13, 15, 21-22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Gupta et al (6,226,752) in view of Moriconi et al. (6,158,010). 

Regarding claims 1 and 4 (claim 1 being exemplary), Gupta discloses a method 
of authenticating a user of a client computer at a server computer, comprising the steps 
of: receiving a service request from the user at a first data processing agent (col. 1 1 , 
line 45 - col. 12, line 6); submitting an authentication request from the first data 



Application/Control Number: 09/585,747 Page 5 

Art Unit: 2132 

processing agent to a second data processing agent to authenticate the user (col. 12, 
lines 13-23); receiving a response to the authentication request at the first data 
processing agent from the second data processing agent, wherein if the user is 
successfully authenticated, the response includes authentication information that the 
first data processing agent can use to authenticate a subsequent user service request 
without submitting a subsequent authentication request to the second data processing 
agent (col. 12, lines 24-52; col. 13, lines 19-26); and if the received response indicates 
that the user is successfully authenticated, providing the requested service to the user 
(col. 12, line 62 - col. 13, line 18). Gupta does not disclose that the data processing 
agents are on the same server. Moriconi et al. disclose that two data processing agents 
are implemented on the same server (col. 10, line 64 - col. 1 1 , line 6). It would have 
been obvious to one of ordinary skill in the art at the time the invention was made 
modify the method of Gupta such that the first and second data processing agents are 
implemented on the same server, as taught by Moriconi, in order to provide maximum 
performance and minimize network traffic overhead. 

Regarding claim 2, Gupta does not disclose that the received response includes 
a level of access privileges for the user, and the providing step includes the step of 
determining the service provided to the user based upon the user's access privilege 
level. Moriconi discloses a level of access privileges for a user (col. 7, lines 41-41 ) and 
the step of determining the service provided to the user based upon the user's access 
privilege level (col. 8, lines 25-28, col. 13, lines 18-23). It would have been obvious to 
one of ordinary skill in the art at the time the invention was made modify the method of 
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Gupta such that the received response includes a level of access privileges for the user, 
and the providing step includes the step of determining the service provided to the user 
based upon the user's access privilege level, as taught by Moriconi. The motivation for 
doing so would have been to provide service to authorized users only. 

Regarding claim 3, Gupta further discloses that the first data processing agent is 
included in an application server and the second data processing agent is included in a 
login server (see fig. 2). 

Regarding claim 8, Gupta discloses a system for authenticating a user comprises 
a first server including a first data processing agent for receiving a service request from 
the user (col. 11, line 45 - col. 12, line 6); a second server including second data 
processing agent for authenticating the user (col. 12, lines 13-23), wherein the first data 
processing agent is configured to submit an authentication request to the second data 
processing agent to authenticate the user (col. 12, lines 13-23), wherein the second 
data processing agent is configured to receive the authentication request, attempt to 
authenticate the user, store a first timeout value indicative of a first predetermined 
period if the user is authenticated and determine if the first predetermined period is 
exceeded (col. 12, lines 24-43; col. 13, line 65 - col. 14, line 4), wherein the first data 
processing agent is configured to require the user to be re-authenticated at the second 
data processing agent upon receipt of a second service request if the first 
predetermined period is exceeded before the second service request is received (col. 
14, lines 8-11). 
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Gupta does not explicitly disclose that the first data processing agent is 
configured to notify the second data processing agent if a second service request is 
received from the user and the second data processing agent is configured to restart 
the first timeout period in response to receiving the notification. However, these 
features are deemed to be inherent to the Gupta system as lines 19-23 of col. 13 show 
that the second data processing agent does not have knowledge of subsequent 
requests from the user, and yet, the second data processing agent monitors the first 
predetermined period (col. 13, line 65 - col. 14, line 4). The Gupta system would be 
inoperative if the first data processing agent was not configured to notify the second 
data processing agent if a second service request is received from the user and the 
second data processing agent was not configured to restart the first timeout period in 
response to receiving the notification. 

Gupta does not disclose that the first and second data processing agents are on 
the same server. Moriconi et al. disclose that a first and second data processing agents 
are implemented on the same server (col. 10, line 64-col. 11, line 6). It would have 
been obvious to one of ordinary skill in the art at the time the invention was made 
modify the method of Gupta such that the first and second data processing agents are 
implemented on the same server, as taught by Moricono, in order to provide maximum 
performance and minimize network traffic overhead. 

Gupta does not disclose a plurality of first data processing agents at the same 
server. However, Examiner takes Official Notice that having a plurality of first data 
processing agents at the same server is well known in the art. It would have been 
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obvious at the time of the invention was made to have a plurality of first data processing 
agents at the same server since Examiner takes Official Notice that having a plurality of 
first data processing agents at the same server so that different services can be 
accessed from one server is well known in the art. 

Regarding claims 13 and 15, Gupta further discloses storing the received 
authentication information on the first data processing agent; receiving a second service 
request from the user at the first data processing agent; and using the stored 
authentication information to authenticate the user without submitting a subsequent 
authentication request to the second data processing agent (col. 13, lines 19-26). 

Regarding claim 21 , Gupta further discloses storing a second timeout value 
indicative of a second time period if the user is authenticated; and if the first data 
processing agent receives the second service request before the second timeout period 
. is exceeded, restart the second timeout period and provide the requested service to the 
user without requiring the user to be authenticated at the second data processing agent 
(col. 11, line45-col. 12, line 6; col. 13, line 65-col. 14, line 11). 

Regarding claim 22, Gupta further discloses that the first data processing agent 
still needs to refer to the first predetermined time period maintained at the second data 
processing agent in order to make a decision whether to terminate a session although 
the second time period is maintained at the first data processing agent (col. 14, lines 4- 
1 1 ). This suggests that the two timeout values are not the same and that the second 
timeout value is less than the first timeout value. 
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11. Claims 12 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Gupta in view of Moriconi as applied to claims 1 and 14 above, and further in view 
of Purpura (6,421,768). Gupta does not disclose that authentication information 
transferred between the data processing agents includes a user name and a password 
associated with the user. Purpura discloses transferring authentication information 
including a user name and a password associated with a user from a first server to a 
second server after the user has been authenticated at the first server (col. 3, line 48- 
58). It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the Gupta method such that that authentication 
information includes a user name and a password associated with the user, as taught 
by Purpura, to facilitate the second server's authentication of the user. 

12. Claims 23-24 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Gupta in view of Moriconi as applied to claim 22 above, and further in view of 
Hambrecht et al (6,629,082). Gupta does not disclose that the user sets the timeout 
values. Hambrecht discloses allowing users to set timeout values (col. 20, lines 4-7, 40- 
44). It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the Gupta system such that that the user sets the timeout 
values, as taught by Hambrecht, in order to accommodate user's preference. 



Allowable Subject Matter 



Application/Control Number: 09/585,747 Page 10 

Art Unit: 2132 

1 3. Claim 5 would be allowable if rewritten or amended to overcome the rejection(s) 
under 35 U.S.C. 112, 2nd paragraph, set forth in this Office action. 

14. The following is a statement of reasons for the indication of allowable subject 
matter. Claims 5-7 and 16-20 are directed to an authentication method in a distributed 
environment in which a first data processing agent utilizes a second data processing 
agent for authenticating a first request for service from a user received at the first data 
processing agent, and the second data processing agent monitors an inactivity timeout 
period associated with the user's session with the first data processing agent. More 
specifically, independent claim 5 identifies the uniquely distinct feature: "if a second 
request is received from the user at another of the plurality of first data processing 
agents before the first time period is exceeded, restarting the first timeout period". The 
closest prior art, Gupta et al, discloses an authentication method in a distributed 
environment in which the first timeout period is restarted if a second request of the 
same session is received; however, Gupta does not teach that the first timeout period is 
restarted if a second request is received from the user at another first data processing 
agent. The prior art, taken either singly or in combination, fails to anticipate or fairly 
suggest the limitations of applicant's independent claim, in such a manner that a 
rejection under 35 U.S.C 102 or 103 would be proper. The claimed invention is 
therefore considered to be in condition for allowance as being novel and nonobvious 
over prior art. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Minh Dinh whose telephone number is 571-272-3802. 
The examiner can normally be reached on Mon-Fri: 10:00am-6:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-21 7-9197 (toll-free). 
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